Building a LAMP Server
with SSL and mod_perl Support
by Bruce Timberlake
Please note - these directions were originally written in 2002 and are no longer relevant. They are left here for historical purposes, but please do not use them to set up a LAMP server.
This document will walk you through the installation of what is known as a "LAMP" system: Linux, Apache, MySQL and PHP. Depending on who you talk to, the P also stands for Perl or Python, but in general, it is assumed to be PHP. I run CentOS on my servers; this HOWTO was written targeting CentOS/Red Hat/Fedora. I have had requests for SuSE- and Debian-specific versions as well, so I will work on those in the future (donations might help speed that process up!). The main difference between the distributions is in the paths to the startup scripts. Red Hat systems used /etc/rc.d/init.d and SuSE uses /etc/init.d.
This document is different from my LAMP howto because we're going to add SSL and mod_perl support to Apache. SSL is important for ecommerce, or really any web transactions you want to encrypt. mod_perl is used as a faster, better way to add Perl support to your website than traditional CGIs, which require the entire Perl interpreter to be loaded each time. mod_perl puts a complete Perl interpreter right inside Apache!
I designed this document so you can just copy/paste each line or block of commands into your shell session and it will "just work" for you. This avoids tedious typing, and the inevitable typos or missed steps that result. These commands work properly via copy/paste. If you are having problems and you are not using copy/paste, please re-check your typing before sending me an email saying "It doesn't work."
Text in a "command" box like this one is a literal Linux commandline, and should be typed or pasted exactly as written.
One note: many many people have followed these directions as written, and have not had any problems. If you are having a problem, chances are it's something you are doing (or not doing), something different about your computer, etc. It is probably NOT this procedure. :)
Initial Steps
PLEASE BE AWARE THAT A SOURCE-BASED INSTALLATION LIKE THIS ONE IS NOT NEEDED FOR A BASIC LAMP SERVER! You should only be doing a source-based installation if you need to alter fundamental settings in one or more components of the LAMP stack (e.g., you need a feature in PHP that isn't in the default RPM). If you are just getting started with LAMP, use the binaries provided by your distribution - it is much simpler, and a lot easier to upgrade later.
Most out-of-the-box Red Hat Linux installations will have one or more of the LAMP components installed via RPM files. I personally prefer installing things like this from source, so I get the most control over what's compiled in, what's left out, etc. But source code installs can wreak havoc if overlaid on top of RPM installs, as the two most likely won't share the same directories, etc.
If you have not yet installed your Linux OS, or just for future reference, do not choose to install Apache, PHP, or MySQL during the system installation. Then you can immediately proceed with the source-based install listed here.
Note: to install applications from source code, you will need a C++ compiler (gcc) installed. This is generally taken care of, but I've had enough queries about it that I've added this note to avoid getting more! You should use your distribution's install CDs to get the proper version of the compiler. Or, if you are using an RPM based distro, you can use a site like http://www.rpmfind.net/ to locate the correct RPM version for your system. (You will obviously not be able to use/rebuild a source RPM to get the compiler installed, as you need the compiler to build the final binary RPM!) On a Fedora system, you can issue this command:
su - root
yum install gcc gcc-c++
Log in as root
Because we will be installing software to directories that "regular" users don't have write access to, and also possibly uninstalling RPM versions of some applications, we'll log in as root. The only steps that need root access are the actual installation steps, but by doing the configure and make steps as root, the source code will also be inaccessible to "regular" users.
If you do not have direct access (via keyboard) to the server, PLEASE use Secure Shell (SSH) to access the server and not telnet!! Whenever you use telnet (or plain FTP for that matter), you are transmitting your username, password, and all session information in "plain text". This means that anyone who can access a machine someplace between your PC and your server can snoop your session and get your info. Use encryption wherever possible!
Remove RPM Versions of the Applications
Before we start with our source code install, we need to remove any/all existing RPM files for the LAMP applications. To find out what RPMs are already installed, use the RPM query command rpm -qa in conjunction with grep to filter your results:
rpm -qa | grep -i apache
rpm -qa | grep -i httpd
rpm -qa | grep -i php
rpm -qa | grep -i mysql
rpm -qa | grep -i openssl
rpm -qa | grep -i mod_ssl
rpm -qa | grep -i mod_perl
The 'httpd' search is in case you have Apache2 installed via RPM.
To remove the RPMs generated by these commands, do
rpm -e filename
for each RPM you found in the query. If you have any content in your MySQL database already, the RPM removal step should not delete the database files. When you reinstall MySQL, you should be able to move all those files to your new MySQL data directory and have access to it all again.
RPM may complain when you try to uninstall OpenSSL, as many other installed applications probably depend on it. If so, go ahead and leave it in. We will be installing it to a different location than the RPM default install, so you'll end up with two separate versions of OpenSSL on the server. Not really a big deal. And we'll be using the "new" one in our steps by explicitly naming the directory when it's needed.
Get the Source Code for all Applications
We want to put all our source code someplace central, so it's not getting mixed up in someone's home directory, etc.
cd /usr/local/src
One way application source code is distributed is in what are known as "tarballs." The tar command is usually associated with making tape backups - tar stands for Tape ARchive. It's also a handy way to pack up multiple files for easy distribution. Use the man tar command to learn more about how to use this very flexible tool.
Here are the versions of all the components we'll use:
MySQL -
Apache -
mod_ssl -
OpenSSL -
mod_perl -
PHP -
Please note: these are the only versions of these that I have verified these steps against. If you use
another version of any component, especially a newer version, this HOWTO may not be accurate.
wget http://www.php.net/distributions/php-.tar.gz
wget http://apache.oregonstate.edu/httpd/apache_.tar.gz
wget http://www.modssl.org/source/mod_ssl-.tar.gz
wget http://www.openssl.org/source/openssl-.tar.gz
wget http://perl.apache.org/dist/mod_perl-.tar.gz
There may be an Apache mirror closer to you - check their mirror page for other sources. Then insert the URL you get in place of the above for the wget command.
For MySQL, go to http://www.mysql.com/ and choose an appropriate mirror to download from.
Unpack the Source Code
tar zxf php-.tar.gz
tar zxf apache_.tar.gz
tar zxf mysql-.tar.gz
tar zxf mod_ssl-.tar.gz
tar zxf openssl-.tar.gz
tar zxf mod_perl-.tar.gz
This should leave you with the following directories:
/usr/local/src/php-
/usr/local/src/apache_
/usr/local/src/mysql-
/usr/local/src/openssl-
/usr/local/src/mod_ssl-
/usr/local/src/mod_perl-
Install OpenSSL
cd /usr/local/src/openssl-
./config \
--prefix=/usr/local/openssl \
-fPIC
make && make test && make install
cd ../mod_ssl-
make clean
./configure \
--with-apache=../apache_ \
--with-ssl=../openssl-
Patch Apache with mod_perl
cd ../mod_perl-
perl Makefile.PL \
EVERYTHING=1 \
APACHE_SRC=../apache_/src \
USE_APACI=1 \
PREP_HTTPD=1 \
DO_HTTPD=1
make && make install
Build Apache
cd ../apache_
make clean
CFLAGS='-DEAPI' \
SSL_BASE=../openssl- \
./configure \
--prefix=/usr/local/apache \
--enable-module=ssl \
--enable-shared=ssl \
--enable-module=rewrite \
--enable-shared=max \
--enable-module=so \
--activate-module=src/modules/perl/libperl.a \
--enable-module=perl
make
make certificate TYPE=custom
make install
Note that if you encrypt the certificate keys during the make certificate step, you will be required to enter the password each time you start the Apache server.
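One way to check the trade-off just described, as an added example that is not part of the original HOWTO: the script reports whether a server key is passphrase-encrypted and whether group or other can access it, since a plaintext key is protected only by file permissions. The default path below is an assumption about where mod_ssl placed the key under this prefix; pass your own path if it differs.

```shell
#!/bin/sh
# Added example: audit an Apache/mod_ssl private key file.
# Assumed location (not stated on the page); override with: --audit /path/to/key
KEY_DEFAULT=/usr/local/apache/conf/ssl.key/server.key

# Prints "encrypted" or "plaintext" based on the PEM headers.
key_encryption() {
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' \
               -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo encrypted
    else
        echo plaintext
    fi
}

# Prints "ok" if group and other have no permission bits set, else "exposed".
key_permissions() {
    # In the ls -ld mode string, characters 5-10 are the group and other bits.
    bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$bits" = "------" ]; then echo ok; else echo exposed; fi
}

# Returns 0 when the key is acceptable, 1 when it needs attention.
audit_key() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    enc=$(key_encryption "$f")
    perm=$(key_permissions "$f")
    echo "$f: $enc, permissions $perm"
    # A plaintext key has no passphrase, so it must not be
    # accessible to group or other.
    if [ "$enc" = plaintext ] && [ "$perm" = exposed ]; then
        return 1
    fi
    return 0
}

# Only runs when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_key "${2:-$KEY_DEFAULT}"
fi
```

If the audit fails for a plaintext key, `chmod 400` on the key file (owned by root) clears the finding.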
Start Apache with SSL enabled
First, we want to set Apache up with a normal start/stop script in /etc/rc.d/init.d so it can be auto-started and controlled like other system daemons. Set up a symbolic link for the apachectl utility (installed automatically as part of Apache):
ln -s /usr/local/apache/bin/apachectl /etc/rc.d/init.d/apache
Then set up auto-start for runlevel 3 (where the server will go by default):
ln -s /etc/rc.d/init.d/apache /etc/rc.d/rc3.d/S90apache
Then start the daemon:
/etc/rc.d/init.d/apache startssl
If you ever want to start Apache without SSL enabled, just do
/etc/rc.d/init.d/apache start
The "start" option is what Apache will use by default when auto-starting at server boot. In order to start SSL by default, you will need to edit /usr/local/apache/bin/apachectl and make the "startssl" command just "start" (make the original "start" something like "startnossl"). Remember to update the usage info as well!
Change this section:
case $ARG in
start)
    if [ $RUNNING -eq 1 ]; then
        echo "$0 $ARG: httpd (pid $PID) already running"
        continue
    fi
    if $HTTPD ; then
        echo "$0 $ARG: httpd started"
    else
        echo "$0 $ARG: httpd could not be started"
        ERROR=3
    fi
    ;;
startssl|sslstart|start-SSL)
    if [ $RUNNING -eq 1 ]; then
        echo "$0 $ARG: httpd (pid $PID) already running"
        continue
    fi
    if $HTTPD -DSSL; then
        echo "$0 $ARG: httpd started"
    else
        echo "$0 $ARG: httpd could not be started"
        ERROR=3
    fi
    ;;
to something like this:
case $ARG in
startnossl)
    if [ $RUNNING -eq 1 ]; then
        echo "$0 $ARG: httpd (pid $PID) already running"
        continue
    fi
    if $HTTPD ; then
        echo "$0 $ARG: httpd started"
    else
        echo "$0 $ARG: httpd could not be started"
        ERROR=3
    fi
    ;;
start|startssl|sslstart|start-SSL)
    if [ $RUNNING -eq 1 ]; then
        echo "$0 $ARG: httpd (pid $PID) already running"
        continue
    fi
    if $HTTPD -DSSL; then
        echo "$0 $ARG: httpd started"
    else
        echo "$0 $ARG: httpd could not be started"
        ERROR=3
    fi
    ;;
Then, to update the usage info, change
echo "usage: $0 (start|stop|...)"
cat << EOF
start - start httpd
startssl - start httpd with SSL enabled
stop - stop httpd
to
echo "usage: $0 (start|startnossl|stop|...)"
cat << EOF
startnossl - start httpd without SSL enabled
start - start httpd with SSL enabled
startssl - start httpd with SSL enabled
stop - stop httpd
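A hand edit like this is easy to get half right, which would leave the boot-time "start" action serving without SSL. The following check is an added example, not part of the original HOWTO or of apachectl itself: it lists which actions in an apachectl-style script launch `$HTTPD -DSSL` and confirms that `start` is among them. The function names and the condensed sample fragment are constructed for illustration.

```shell
# Added example: list which apachectl actions start httpd with -DSSL.

# Prints one action name per line for every case branch that runs "$HTTPD -DSSL".
ssl_actions() {
    awk '
        /^[ \t]*[A-Za-z|_-]+\)[ \t]*$/ {   # case label, e.g. "start|startssl)"
            label = $0
            gsub(/[ \t)]/, "", label)
            next
        }
        /\$HTTPD[ \t]+-DSSL/ && label != "" {
            n = split(label, names, "|")
            for (i = 1; i <= n; i++) print names[i]
        }
        /^[ \t]*;;/ { label = "" }          # end of the branch
    ' "$1"
}

# Succeeds only if the boot-time "start" action is one of the SSL actions.
boot_start_uses_ssl() {
    ssl_actions "$1" | grep -qx 'start'
}

# Constructed sample: the edited fragment from this page, condensed.
sample_edited() {
    cat <<'EOF'
case $ARG in
startnossl)
if $HTTPD ; then
echo "$0 $ARG: httpd started"
fi
;;
start|startssl|sslstart|start-SSL)
if $HTTPD -DSSL; then
echo "$0 $ARG: httpd started"
fi
;;
esac
EOF
}

# With a path argument, report on that file.
if [ -n "${1:-}" ]; then
    boot_start_uses_ssl "$1" && echo "start uses SSL" || echo "start does NOT use SSL"
fi
```

Saved to a file, it can be run with /usr/local/apache/bin/apachectl as its argument after making the edit.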
You can check that Apache is running properly by doing:
ps -ef
and look for the httpd processes.
A note from the author
I hope you find this guide, or tutorial, call it what you will, useful, and I also hope it saves you some time.